Fixing your cybersecurity blind spot

When facing today’s advanced threat landscape, in-depth layered defence has long been best practice. The first line of defence (other than solid training and system maintenance) is usually around the perimeter: AV, next-generation firewalls and intrusion prevention systems (IPS). Additional layers of defence may include security information and event management (SIEM) systems, data loss prevention (DLP) and newer endpoint detection and response (EDR) solutions.

But there is a blind spot in these layers: after an adversary has breached the perimeter, but before they have compromised key systems and exfiltrated data. It is difficult today to quickly spot, track and thwart advanced malware and attack campaigns precisely at these stages. What is needed is real-time visibility on potential threat activity after the initial exploit, as adversaries recon your network, look for weaknesses and prepare to exfiltrate data.

Current blind spot

The problem is that perimeter defences can alert on known threats, but have no visibility on an adversary’s reconnaissance, lateral movement or privilege escalation, nor on what other systems might be compromised. The reason for this is that Data Loss Prevention (DLP) and Endpoint Detection and Response (EDR) systems alert on suspicious access to and/or theft of critical assets. Unfortunately, they are not designed to spot, let alone track, related attack behaviour occurring across the network.

SIEM systems can provide more visibility, yet they are defensive in nature and reactive to known indicators; that is not optimal when looking to proactively investigate suspicious lateral movement or activity related to new or unknown malware. Filtering out and prioritising real Indicators of Compromise (IoC) from the overwhelming number of alerts can be a serious challenge. In addition, getting a complete picture of an entire attack campaign working across the network is tough and time-consuming.

The most dangerous threats today are not just malware but human orchestrated attack campaigns. The malware component itself is designed to be stealthy, to circumvent layers of security undetected. And they have been successful; many breaches go undetected until a third party alerts the victim.

Better post exploit visibility

What is needed is fast and flexible visibility on the tradecraft of the attacker, after the initial exploit (detected or not) and before data or systems are further compromised: the internal reconnaissance, the lateral movement, external communications, escalated or stolen credentials. With better post exploit visibility businesses can:

Proactively hunt for human-guided campaigns; investigate to see if currently active threats might be lurking within their network. When speed is of the essence, IT teams can better connect the dots across alerts, systems, and behaviour;

Optimise existing SOC operations and investments in current security tools, for example faster recognition of false positives and prioritisation of real threats;

Stop exfiltration and thwart attack campaigns in their entirety. Track the lateral movement of adversaries, systems they’ve touched or payloads dropped, and eliminate all attack components before the damage is done.
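As an added illustration of "connecting the dots" across alerts and systems (example code, not from the article or any product it mentions), the Python sketch below walks a constructed set of logon and file-drop events forward in time from one known-compromised host, recording every host the adversary could have reached, the credentials used to get there and the payloads dropped along the way. The event format, host names and user names are assumptions.

```python
"""Minimal post-exploit visibility analytic (added example, not from the article).

Given remote-session and file-drop events plus one host known to be compromised,
walk forward in time and collect the hosts an adversary could have reached, the
credentials seen moving, and the payloads written on those hosts.
"""
from collections import defaultdict

# Constructed sample telemetry; "t" is minutes since the start of the window.
EVENTS = [
    {"t": 0,  "kind": "logon", "src": "ws-17",   "dst": "ws-17",   "user": "alice"},
    {"t": 2,  "kind": "logon", "src": "file-01", "dst": "ws-40",   "user": "carol"},  # before file-01 was reached
    {"t": 3,  "kind": "logon", "src": "ws-22",   "dst": "file-01", "user": "bob"},    # unrelated user
    {"t": 5,  "kind": "logon", "src": "ws-17",   "dst": "file-01", "user": "alice"},
    {"t": 9,  "kind": "drop",  "host": "file-01", "path": "C:\\Windows\\Temp\\svc.exe"},
    {"t": 12, "kind": "logon", "src": "file-01", "dst": "dc-01",   "user": "svc_backup"},
    {"t": 15, "kind": "logon", "src": "dc-01",   "dst": "hr-db",   "user": "svc_backup"},
    {"t": 20, "kind": "logon", "src": "ws-22",   "dst": "ws-30",   "user": "bob"},    # unrelated
]


def trace_campaign(events, patient_zero, t0):
    """Return (hosts reached -> first-touch time, payloads per host, credentials used)."""
    reached = {patient_zero: t0}          # host -> time adversary first controlled it
    payloads = defaultdict(list)
    creds = set()
    # Lateral movement is causal in time, so one pass over time-sorted events suffices.
    for e in sorted(events, key=lambda e: e["t"]):
        if e["kind"] == "logon":
            src, dst = e["src"], e["dst"]
            # Follow a hop only if the source was already controlled at that moment;
            # a logon from a host before it was compromised is benign noise.
            if src in reached and e["t"] >= reached[src]:
                creds.add(e["user"])
                reached.setdefault(dst, e["t"])
        elif e["kind"] == "drop":
            host = e["host"]
            if host in reached and e["t"] >= reached[host]:
                payloads[host].append(e["path"])
    return reached, dict(payloads), creds


if __name__ == "__main__":
    hosts, dropped, users = trace_campaign(EVENTS, "ws-17", 0)
    for h, t in sorted(hosts.items(), key=lambda kv: kv[1]):
        print(f"t={t:>2}  {h:8}  payloads={dropped.get(h, [])}")
    print("credentials in play:", sorted(users))
```

The same walk over real SIEM or EDR data gives the ordered list of systems and credentials to contain, rather than a single host-level alert.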

The scope, quantity of data and speed of the threat environment require post exploit visibility to be automated as much as possible. However, complex attack campaigns are waged by human attackers, and as our experience with AI already demonstrates, there is no analytics machine more complex and sophisticated than the human mind. Automation can never replace the human defenders behind the front lines, but rather assists and enhances their capabilities.

As more is understood about threat behaviour and the processes to spot it, automation becomes more practicable – and critical. This is evolving quickly but can already be put into three categories.

Workflow Automation: automation of the day-to-day SOC workflow, where disparate processes, sometimes manual phone and email communications, or the use of spreadsheets is integrated and automated. This is similar to what occurred with IT help desk automation in the 1990s.

Automated Threat Response: automated countermeasures on endpoints and networks to respond to threats before data is exfiltrated. Development of security playbooks and “out of the box” countermeasures, for example confirmed malware attack means quarantine host and block IP at firewall.

The real battle with advanced attack campaigns occurs after a breach has already happened. What becomes critical is real-time visibility on attacker tradecraft. Post exploit visibility makes it harder for adversaries to hide, and easier for you to defeat their attacks. It’s time for organisations to fix their cybersecurity blind spot.


Copyright 2019 IDG Communications. ABN 14 001 592 650. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of IDG Communications is prohibited.